
How to troubleshoot Synchronized User ID Issues

Hi,

We want to use Synchronized User ID authentication, but we are stuck: the users are not being created on the firewall. Is there any advice for troubleshooting? How should we proceed? How can I get an idea of where the root cause could be?

I already read through this:

Sophos Firewall: Heartbeat stops showing any endpoint clients on GUI

Thanks.



  • Are the firewall and the endpoint registered within the same account in Central?
    Is the feature "Security Heartbeat" enabled within the Firewall / Central?


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003

  • Yes to both questions... There is an improvement: the domain configured for the AD server was wrong. But we still don't see all users that are logged in on clients with Endpoint Protection installed...

  • The access_server.log log file with debug mode enabled also does not show anything about that user. In SntpService.log we can see "Session logon for:" events while logging in to that machine.

  • For users appearing in the firewall, we can see entries like these:

    INFO May 31 06:14:27.084760Z [access_server]: print_auth_tlv: -----------------AUTH_TLV--------
    INFO May 31 06:14:27.084769Z [access_server]: print_auth_tlv: TLV Type: 0
    INFO May 31 06:14:27.084778Z [access_server]: print_auth_tlv: TLV Length: 4
    INFO May 31 06:14:27.084787Z [access_server]: print_auth_tlv: ---------------------------------
    DEBUG May 31 06:14:27.084795Z [access_server]: (process_sso_client_login_request): clienttype: 33
    INFO May 31 06:14:27.084806Z [access_server]: print_auth_tlv: -----------------AUTH_TLV--------
    INFO May 31 06:14:27.084813Z [access_server]: print_auth_tlv: TLV Type: 1
    INFO May 31 06:14:27.084821Z [access_server]: print_auth_tlv: TLV Length: 8
    INFO May 31 06:14:27.084829Z [access_server]: print_auth_tlv: ---------------------------------
    DEBUG May 31 06:14:27.084840Z [access_server]: (lc_utf8_bytes): lowercase = 'testusr1'
    DEBUG May 31 06:14:27.084852Z [access_server]: (process_sso_client_login_request): username: 'testusr1'
    INFO May 31 06:14:27.084862Z [access_server]: print_auth_tlv: -----------------AUTH_TLV--------
    INFO May 31 06:14:27.084869Z [access_server]: print_auth_tlv: TLV Type: 15
    INFO May 31 06:14:27.084876Z [access_server]: print_auth_tlv: TLV Length: 11
    INFO May 31 06:14:27.084882Z [access_server]: print_auth_tlv: ---------------------------------
    DEBUG May 31 06:14:27.084891Z [access_server]: (lc_utf8_bytes): lowercase = 'test.de'
    DEBUG May 31 06:14:27.084899Z [access_server]: (process_sso_client_login_request): domainname: test.de
    INFO May 31 06:14:27.084939Z [access_server]: print_auth_tlv: -----------------AUTH_TLV--------
    INFO May 31 06:14:27.084946Z [access_server]: print_auth_tlv: TLV Type: 5
    INFO May 31 06:14:27.084954Z [access_server]: print_auth_tlv: TLV Length: 12
    INFO May 31 06:14:27.084961Z [access_server]: print_auth_tlv: ---------------------------------
    DEBUG May 31 06:14:27.084971Z [access_server]: (process_sso_client_login_request): ipaddress: 1.2.3.4
    INFO May 31 06:14:27.084980Z [access_server]: PCA called for 1.2.3.4

    Are there specific log entries regarding problems/errors one can search for?

  • Do you have Logviewer entries for Authentication? 


  • We have some entries, but many are missing... 

  • Are there failed logins, if so, could you share the entries? 


  • Currently, there are no failed logins. What I figured out is that the customer has different names for sAMAccountName and UPN. So when the sAMAccountName is, for example, test, the UPN could be like j.anders@localdomain.de. Could this be an issue in some cases? I mean, there are users with that scheme, and they are at least shown as logged in on that firewall. But what about users not showing up at all? In this case, we have a server with Server Protection and the user is logging in to that machine. But the user won't show up as a live user. Where can we start now? A support case is already created.

  • Here: Synchronized User ID and username with domain name not working

    You wrote: "Endpoint should send the FQDN (domain.toplevel) + user name."

    If this is still the case, where can I see what the endpoint is sending? Is that shown in the endpoint logs? If yes, I would say the endpoint sends this:

    2024-05-30T12:29:17.685Z [ 8904: 7348] A Session logon for: CUSTOMERDOMAIN\username
    2024-05-30T12:32:04.299Z [ 8904: 7348] A Session logoff for: CUSTOMERDOMAIN\username
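An added example for correlating the two log sources quoted in this thread (not from the thread itself or from Sophos): it groups the per-field access_server.log debug lines into one record per SSO login request, parses the endpoint's "Session logon/logoff for:" lines, and lists users the endpoint reported a logon for but the firewall never received a login request for. The sample lines are constructed after the excerpts above; the domain TEST and the user J.Anders are made up, and the field names are the ones that appear in the quoted logs.

```python
import re
# Constructed samples modelled on the thread's access_server.log (debug) excerpt: one SSO login request = several lines.
ACCESS_SERVER_LOG = """\
DEBUG May 31 06:14:27.084795Z [access_server]: (process_sso_client_login_request): clienttype: 33
DEBUG May 31 06:14:27.084852Z [access_server]: (process_sso_client_login_request): username: 'testusr1'
DEBUG May 31 06:14:27.084899Z [access_server]: (process_sso_client_login_request): domainname: test.de
DEBUG May 31 06:14:27.084971Z [access_server]: (process_sso_client_login_request): ipaddress: 1.2.3.4
INFO May 31 06:14:27.084980Z [access_server]: PCA called for 1.2.3.4
"""
# Constructed samples modelled on the thread's SntpService.log lines (domain TEST and user J.Anders are made up).
ENDPOINT_LOG = """\
2024-05-30T12:29:17.685Z [ 8904: 7348] A Session logon for: TEST\\testusr1
2024-05-30T12:31:02.110Z [ 8904: 7348] A Session logon for: TEST\\J.Anders
2024-05-30T12:32:04.299Z [ 8904: 7348] A Session logoff for: TEST\\testusr1
"""

FIELD_RE = re.compile(r"\(process_sso_client_login_request\): "
                      r"(clienttype|username|domainname|ipaddress): '?([^'\s]+)'?")
SESSION_RE = re.compile(r"^(\S+) \[[^\]]*\] A Session (logon|logoff) for: (?:([^\\]+)\\)?(\S+)$")

def parse_access_server(text):
    """Group the per-field debug lines into one dict per SSO login request."""
    records, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.search(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "clienttype":           # first field logged for a new request
            current = {"clienttype": value}
            records.append(current)
        elif current is not None:         # access_server lowercases names itself (lc_utf8_bytes)
            current[key] = value.lower()
    return records

def parse_endpoint_sessions(text):
    """Return (timestamp, event, domain, user) for each Session logon/logoff line."""
    events = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            ts, event, domain, user = m.groups()
            events.append((ts, event, (domain or "").lower(), user.lower()))
    return events

def users_missing_on_firewall(endpoint_text, access_text):
    """Users the endpoint reported a logon for but access_server never saw a request for."""
    seen = {r.get("username") for r in parse_access_server(access_text)}
    logged_on = {u for _, ev, _, u in parse_endpoint_sessions(endpoint_text) if ev == "logon"}
    return sorted(logged_on - seen)   # ['j.anders'] for the samples above
```

Run it against the real files by reading them into the two variables; a user listed in the result logged on at an endpoint but never produced an SSO login request at the firewall, which narrows the search to the endpoint/Central side rather than the firewall's directory lookup.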

  • In this thread FloSupport mentioned:

    "To follow up regarding Ste it was related to the known behaviour regarding: "UPN must be identical to sAMAccountName to make the login successful as the sAMAccountName is used by the XG Firewall and not the UPN.""

    Does this still apply or is this not a requirement anymore? At least nothing is documented afaik.